Details

Updated kernel packages that fix multiple security issues and several bugsare now available for Red Hat Enterprise Linux 5.

The Red Hat Security Response Team has rated this update as havingimportant security impact. Common Vulnerability Scoring System (CVSS) basescores, which give detailed severity ratings, are available for eachvulnerability from the CVE links in the References section.

The kernel packages contain the Linux kernel, the core of any Linuxoperating system.

* Buffer overflow flaws in the Linux kernel's netlink-based wirelessconfiguration interface implementation could allow a local user, who hasthe CAP_NET_ADMIN capability, to cause a denial of service or escalatetheir privileges on systems that have an active wireless interface.(CVE-2011-2517, Important)

* A flaw was found in the way the Linux kernel's Xen hypervisorimplementation emulated the SAHF instruction. When using afully-virtualized guest on a host that does not use hardware assistedpaging (HAP), such as those running CPUs that do not have support for (orthose that have it disabled) Intel Extended Page Tables (EPT) or AMDVirtualization (AMD-V) Rapid Virtualization Indexing (RVI), a privilegedguest user could trigger this flaw to cause the hypervisor to crash.(CVE-2011-2519, Moderate)

* An off-by-one flaw was found in the __addr_ok() macro in the Linuxkernel's Xen hypervisor implementation when running on 64-bit systems. Aprivileged guest user could trigger this flaw to cause the hypervisor tocrash. (CVE-2011-2901, Moderate)

* /proc/[PID]/io is world-readable by default. Previously, these filescould be read without any further restrictions. A local, unprivileged usercould read these files, belonging to other, possibly privileged processesto gather confidential information, such as the length of a password usedin a process. (CVE-2011-2495, Low)

Red Hat would like to thank Vasily Averin for reporting CVE-2011-2491, andVasiliy Kulikov of Openwall for reporting CVE-2011-2495.

This update also fixes several bugs. Documentation for these bug fixes willbe available shortly from the Technical Notes document linked to in theReferences section.

Users should upgrade to these updated packages, which contain backportedpatches to correct these issues, and fix the bugs noted in the TechnicalNotes. The system must be rebooted for this update to take effect.

Solution

Before applying this update, make sure all previously-released erratarelevant to your system have been applied.

To install kernel packages manually, use "rpm -ivh [package]". Do notuse "rpm -Uvh" as that will remove the running kernel binaries fromyour system. You may use "rpm -e" to remove old kernels afterdetermining that the new kernel functions properly on your system.